My WFH Story with Versa Secure SD-WAN (Part 2)

Part 2 of a 3 part series (read part 1 and part 3)

Now, my journey. I requested a Versa Cloud Services Gateway appliance, specifically the CSG750-WLA (that’s our 750 series appliance with an integrated Wi-Fi AP (Access Point) and an integrated cellular modem for LTE). I submitted a request to our Versa Titan operations team [sent an internal PO] to create my organization and provide me with licenses for 4 sites – each license was the Versa Titan CSG750-Advanced Security software license. The Advanced security license provides routing, SD-WAN, NGFW, URL Filtering, AV and NG-IPS [for those who are curious the Versa Titan Enterprise base software license provides everything but AV and NG-IPS]. Sure, while I am a Versa Networks employee, you could argue acquiring this is straightforward, but I wanted to also test the purchasing and orchestration elements of the Versa Titan Service [similar to how a customer or partner would engage with us]. After submitting the order, I was provided with my “Welcome Email” to do the following:

Login to the Versa Titan Cloud Portal and set my initial password along with download a mobile application [for me I am an Android guy, so I went to the Google Play Store to download the Versa Titan mobile app].  After logging in I simply dragged a license onto the dashboard to create my first site, my home office. My site was pre-configured for everything prior to me even touching any configuration knobs. What was pre-configured you ask?

  • Each WAN port (2) was preconfigured for Split-tunnel functionality [VPN and Internet]
  • LTE was preconfigured to back up my wired WAN links
  • Wi-Fi came preconfigured with multiple SSIDs [Corporate for VPN access (SDWAN) and Guest for DIA only)
  • LAN ports all came preconfigured with IP addresses and DHCP Server pools
  • Security was preconfigured for URL Categories and Reputation, AV scanning for email and NGIPS was preset for a Versa Recommended profile
  • SDWAN Traffic Steering was preconfigured with 4 intuitive categories (Real Time, Business Critical, Default and Low Priority)
  • Application QOS was preconfigured to match each category: Real Time was EF, Business Critical was AF, Default was default priority and Low Priority was given no priority queue)
  • Each category was preconfigured for relevant SDWAN SLA parameters (low latency, jitter, delay) per each category type along with having applications already pre-added for identification
  • DIA (or local internet breakout) was also pre-configured for load-balancing and to prioritize traffic based on the same Application QOS configuration mentioned above.

At this point I only changed a few parameters (LAN side addressing) and NGFW policies to protect lateral communication between two different network segments along with some policies I wanted to explicitly allow. I then hit “Deploy” and selected Bluetooth from a selection of three possible activation methods [Bluetooth, Wi-Fi and GZTP (Global ZTP)].  This took me about 5 minutes from setting up my password, it took me longer to unbox the CSG, power it up, cable it and cable my other in-home devices and switches. I then logged into the mobile application I downloaded on my Google Pixel XL, selected my office [my site] and was presented immediately with a notice to “Activate Device”.  With the CSG powered on, I hit activate.

My phone, using the Mobile app, discovered the Versa CSG appliance, authenticated and began to configure it right out of the box out-of-band with the configurations I mentioned above. In about 7 minutes, my CSG had rebooted and the mobile application then indicated to me that my Versa Titan appliance and site was successfully deployed and activated.  Voila! In about 12 minutes with minimal touch and effort I had successfully deployed my first Versa Secure SD-WAN site. I replicated this process for a few virtual instances to setup the rest of my fabric and broader network:

  • Virtual instance in AWS (cx5.large instance type) to act as a cloud gateway specifically for my Zoom and RingCentral traffic (I could have also used the system of Versa Cloud Gateways, but opted to deploy my own for testing)
  • Virtual appliance (VM on a KVM hypervisor) as a test site

This whole process for 3 locations took about 20 minutes [took me longer to launch my CloudFormation template to deploy Versa Operating System VOS™ as a cloud-gateway and wait for AWS to do its thing]

For my fourth site, I needed some help from a colleague at our corporate office to cable up an appliance and activate it for me at headquarters. After creating a temporary Enterprise User account [limited control] in my organization for them, talked them through it over a Zoom with screensharing and again <10 minutes later the corporate Versa Titan site was online.

Logged into the portal and within a few seconds of successful activation notice, I was able to see my sites all online and green. My initial architecture was using our default topology setting which was Full-Mesh (Because of various demos and expanding the team I have moved to a hybrid topology – both Full Mesh for some sites and Hub-and-Spoke for others). What this means is that by default every site I turned up created an SD-WAN IPsec tunnel to each other and began redistributing LAN side routes into the SD-WAN fabric. Route redistribution and updates all happened without me needing to configure anything, our default configuration ensures any site in the same organization will build SD-WAN tunnels. It is also worth noting that the only thing I had to activate or do was the following:

  • Change my account password
  • Create the sites
  • Slightly modify and customize my site-specific configurations for LAN side parameters [since I had an existing IP schema]
  • Add a temporary Enterprise User for some on-site assistance in San Jose to activate a Versa Titan CPE at HQ

What I did NOT have to do was the following:

  • Install an orchestrator and management application
  • Install and configure any provisioning servers, nodes, or staging servers
  • Install any SDWAN Controllers
  • Configure any templates from scratch
  • Configure any SDWAN Traffic steering policies and SLAs from scratch
  • Configure any QOS policies or schedulers
  • Create any zones
  • Create any virtual routers
  • Create any CGNAT policies or rules for DIA
  • Create any split-tunnels parameters
  • Add interfaces [LAN, Wi-Fi or WAN]
  • Create any IPS profiles
  • Create any URL Filtering or Reputation rules and profiles
  • Configure any VPN settings

Everything above was done already due to the Versa Titan service hosted in the cloud. Leveraging our multitenant capability across the stack, my organization was created as a sub-tenant to the larger Versa Titan Cloud service, which also provided my organization with pre-configured templates to deliver secure branch connectivity (e.g. Secure SD-WAN). I only needed to worry about the branches [sites]

In part 3 I share all the things my home office is equipped to do by default and share details about the advanced features I enabled for my home deployment of Versa Secure SD-WAN.